Build trust with Privacy in 2024

No, there are differences. Regulations like GDPR are mandatory obligations that apply if your data processing activities meet the criteria of the regulation. The regulation sets out the detailed compliance requirements. If you operate in accordance with those requirements, you are compliant, regardless of whether you issue an attestation report. 

An attestation report is used to provide third parties with evidence of your compliance with an independent audit that earns and maintains trust in your compliance. That’s especially important where your customers rely on your compliance for their own compliance, eg. If they are using your software or services with the personal data of their customers. 

There are many global privacy regulations that may apply to your data processing activities.

For regulations like the GDPR, Australian Privacy Principles and New Zealand Privacy Act, there is no materiality level applied. That means you need to comply with the regulations if you collect any personal data from citizens of the EU, Australia or New Zealand respectively.

Regulations like the California Privacy Act (CCPA/CPRA) and several other American state-specific regulations, there is a materiality level applied to the scale of data collected and in some cases the company turnover and whether the sale of personal data is conducted.

The International Association of Privacy Professionals (IAPP) has some great resources to guide you on your requirements, including this helpful mapping of global regulations.

It is common to engage legal counsel to interpret the requirements of the regulation and how they apply to your data processing activities and operations. This is not required by the regulation itself, however. Many organisations, especially with a simpler or smaller scope of handling personal data find they can follow the principals and requirements of the regulation without needing legal counsel.

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the relevant privacy regulatory clauses.

A Type 2 report attests to your compliance by both design and operation over a period of time. It covers a period between 3-12 months to show your systems and processes have been operated consistently to satisfy the relevant privacy regulatory clauses.

Usually, a Type 1 report is issued first to baseline compliance. That marks the start of the live and recurring Type 2 audit periods for reports issued annually.

Regulations like the GDPR and other similar privacy rights and acts, are based on principles. That provides flexibility and room for judgment when it comes to applying those regulations. It recognises that there is subjectivity and varied circumstances that apply when handling personal data. 

The articles of the GDPR and other privacy regulations give more specific guidance and some hard requirements driven by those overarching principles designed to protect consumers interests.

We developed PolicyTree to address the challenge our clients face when defining and documenting compliance policies. PolicyTree collects data points about the privacy regulations that apply, your data processing activities and systems, and then branches out into what’s relevant to your privacy practices. You select the components that apply and input details related to your preferences or current state of operation to generate a set of policies, including a Privacy Statement and Privacy Policy document. This links through to the relevant acts and clauses from 16 privacy regulations including the GDPR.